Infosec and things.

GPT LUKS LVM Arch Install Guide 2016

Intro

Hey everyone. I decided to make this install guide because I found most other guides out there now either out of date, or not quite what I needed for my particular system.

I now have an encrypted install of Arch Linux running on an SSD, using LUKS, LVM, and a GPT partition table. On top of that, instead of just using different partitions for different operating systems, I install each OS on its own drive entirely. Right now, I have:

Arch Linux on a 1TB SSD (Main System)

Windows 10 on a 2TB Hybrid Drive (Gaming only)

Spare blank 1.5TB drive for backups/data dump

Most guides that I found had advice for dual-booting but only if the OSes were on the same disk, just different partitions, or were using old MBR partitioning, or didn’t have a full disk encrypt setup.

What you can do with this guide

This guide will show you how to do a step-by-step install of Arch Linux, using UEFI boot, GPT, and encrypting your entire disk with LUKS and LVM.

To jump ahead slightly, at the end I’m using bootctl as the boot manager which will also automatically detect my Windows 10 install as long as Windows Fast Boot is disabled (applicable for Win 8 and 10).

However, this setup will work just as well if you’re not dual booting at all.

REMINDER

This guide will use the ENTIRE DISK to install Arch Linux! If this is NOT what you want, tweak the partitioning portion of this guide to be what you need/want.

Resources

Big thanks to the Arch Community in general and to SuddenKernelPanic for the disk encryption information.

Install Guide

System/Disk Prep

Boot into UEFI USB

Connect to wifi

# wifi-menu

Test connection

# ping -c 2 google.com

Set NTP

# timedatectl set-ntp true

Check to see what disk you want to install

# lsblk

NOTE: Most of the time, if you’re installing on your main disk, you’ll be using /dev/sda as your disk. However, if this is a secondary or tertiary disk, you may be using /dev/sdb or /dev/sdc. After this point, I use /dev/sdX, so fill in the X variable with whatever you need.

Partition your disk

# gdisk /dev/sdX

Print current table

# p

New GPT table

# o

Confirm

# y

Create new partitions. NOTE: I just give the commands you’ll enter next. Be sure to read the output to make sure this partitioning will work for you!

What the following commands do: Create a new 200M partition to be used as /boot. Then, create another partition using the rest of the disk space. This will later become your LVM partition where we break it out into logical volumes.

Open encrypted partition to set up LVM. NOTE: You can use any name instead of crypt and lvmpool below. I chose those based on the SuddenKernelPanic blog and didn’t feel like coming up with different names.

# cryptsetup luksOpen /dev/sdX2 crypt

Create the LVM physical volume and the volume group.

# lvm pvcreate /dev/mapper/crypt

# lvm vgcreate lvmpool /dev/mapper/crypt

Create logical volumes for LVM. I have 35GB for root (probably more than necessary, but I had 1TB to play with so why not), 8GB for swap (half my RAM), and the rest of the disk to home.

Change the host name of your system. Make sure it is unique on your network.

# vi /etc/hostname

Install necessary wifi software

# pacman -S iw wpa_supplicant dialog

Change root password

# passwd

Logout and unmount partitions, reboot

ctrl-d

# umount -R /mnt

# reboot

Did it work?! Hopefully if you followed all the above steps, you were greeted with a prompt to enter your disk encryption password, then a login shell. If so, congratulations! You now have Arch Linux installed and encrypted on your computer!

That’s all the hard part. REMEMBER! If something didn’t work right, you can always boot back into the live USB and edit any of the work we did without losing your progress. For example, did you forget to edit the boot config? Just boot back into the system with a live USB, mount the drives to the system again, log into Arch # arch-chroot /mnt /bin/bash, # cryptsetup luksOpen /dev/sdX2 crypt, and change the configurations you need.
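A quick way to confirm the result from the login shell, as an added example that is not part of the original guide: the function below reads `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` output and lists every mounted filesystem or swap area that does not sit on top of a dm-crypt mapping. With the layout built here, the only line it should print is /boot; the sample input and its dm-N device names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): report mounted filesystems and
# swap that are NOT stacked on a dm-crypt mapping. Feed it the output of
#   lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT
unencrypted_mounts() {
  awk '
    # Return the value of KEY="value" on the current line ("" if absent).
    function val(key,    line, i, rest) {
      line = " " $0
      i = index(line, " " key "=\"")
      if (i == 0) return ""
      rest = substr(line, i + length(key) + 3)
      return substr(rest, 1, index(rest, "\"") - 1)
    }
    {
      k = val("KNAME")
      kind[k] = val("TYPE")
      parent[k] = val("PKNAME")
      if (val("MOUNTPOINT") != "") { order[++n] = k; mnt[k] = val("MOUNTPOINT") }
    }
    END {
      for (j = 1; j <= n; j++) {
        enc = 0
        # Walk from the mounted device up to the disk looking for a crypt layer.
        for (d = order[j]; d != ""; d = parent[d])
          if (kind[d] == "crypt") { enc = 1; break }
        if (!enc) print mnt[order[j]]
      }
    }'
}

# Constructed sample of the layout this guide builds (dm-N names are assumed).
sample_lsblk() {
  cat <<'EOF'
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda2" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="[SWAP]"
KNAME="dm-3" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/home"
EOF
}

# On the installed system: lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT | unencrypted_mounts
sample_lsblk | unencrypted_mounts
```

Anything other than /boot in the output, for example [SWAP], means that volume was created outside the LUKS container and its contents are stored in the clear.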

Further Setup

Assuming you got your login shell, you can stop here and customize your setup as you wish. However, I’ve also included some of the things I did to get my system set up with GNOME, set my local user account, and install some basics. You can use this as a guide so you’re up and running with a GUI and non-root admin account.

Post-install Setup

Start installing some basics. All of these steps are OPTIONAL. You do not have to install any of the things I have listed below. This is just what I did on my system. I have them here as a guide in case you’re not sure where you want to go from here.

NOTE: I have an NVIDIA graphics card, so I’m installing packages for NVIDIA.
If you have AMD or Intel, check Arch Linux General Recommendations for help on what packages to install for your particular system.

Install GNOME. NOTE: Now, GNOME wants to install a lot of bloatware by default. I, personally, wanted my system to have as little extra crap as possible, so I only selected the packages I wanted to have installed. You can check all the default packages here and select which you want to install:


6 thoughts on “GPT LUKS LVM Arch Install Guide 2016”

Great guide, thanks so much for this! Quick question though: I’m hoping to dual boot Arch and Windows 10. I know at the beginning of your guide you mentioned that your method is compatible with this setup.

However, I’m still unsure how to go about doing this. If I wanted to install Windows 10, and have both partitions encrypted, how would that figure into the instructions you have?

Hi Alex,
Sorry for the late reply, but thank you very much! I’m glad you found this guide useful!

There are a few different ways that I could see doing this with a dual boot. The problem with the exact layout as I have it here, is that I’m not sure the Windows installer would allow you to decrypt the drive before installing Windows to a specific partition, as Linux does.

What I would recommend you looking into, is actually going through the Arch install *without* doing the disk encryption as I have detailed here (just typical setup), and leave a partition for Windows. After Windows is installed alongside Arch (both unencrypted), utilize VeraCrypt to do a full disk encryption of the drive. This should wrap the encryption around both OSes. I haven’t tried doing this myself to verify, but I believe you should be able to do something like this.

The reason I had them on separate drives is because I prefer to have things segmented that way, but of course I understand that isn’t reasonable for a laptop or even some desktops.

Thanks for the reply, and sorry for my delayed response. I was able to install Arch using the instructions above. I set aside some free space for Windows, and created a partition for boot and an encrypted container for swap, home, and root. Then, I followed your above instructions to install Arch. When I was all done, I just booted to the Windows install media, and installed Windows 10 on the free space.

My BIOS (UEFI) was able to figure things out. Accessing the boot select options allowed me to choose Arch or Windows on startup, and each one worked perfectly. I was even able to configure Bitlocker to use the TPM after the Windows install.

Unfortunately, I then tried to self-sign my Linux kernel and save the keys to the TPM to have secure boot enabled for both Windows and Linux. In doing so, I managed to somehow wipe the boot entries for Arch and Windows, and had to start the process over. I’ve given up on that part for now.